Last updated: September 2021
In the United States, Illinois and Texas, among other jurisdictions, have passed laws that have notice and consent requirements for how companies use, share, and store biometric information that can be used to identify individuals. If you have drivers who reside in those states, those laws may apply to your use of Camera ID. The City of Portland has also passed an ordinance that prohibits certain uses of facial recognition technologies by private entities although exemptions are available. For more information about Camera ID, including our retention of biometric features, see Special Features.
The law in this area is changing rapidly. The information provided is not intended to be legal advice or a substitute for legal advice. If you have any questions, please contact privacy@samsara.com.
Summary of Key Requirements
-
Illinois: The Illinois law (here) requires companies to inform individuals in writing that their biometric information is being collected or stored; inform them of the specific purpose and length of term for which the biometric information is being collected, stored, and used; and also to obtain consent from them or their legally authorized representative in a written release. In addition, companies have to make a written policy available to the public about how they retain and destroy biometric information.
-
Texas: The Texas law (here) requires companies to inform individuals before capturing their biometric information for commercial purposes and obtain their consent to capture it.
-
City of Portland: The City’s ordinance (here) prohibits the use of face recognition technologies by private entities in places of public accommodation within Portland city limits. The law provides an exemption, however, “[f]or user verification purposes by an individual to access the individual’s own personal or employer issued communication and electronic devices.” To the extent that your use of Camera ID is prohibited by the Portland ordinance, you can disable Camera ID in your Dashboard settings.
The following examples show what this might look like for some customers using Camera ID. Before using these examples, you should make sure they work for your specific intended use of Camera ID.
|
Consent to Collection of Biometric Information We use Samsara’s hardware and software technology to manage our fleet and improve driver safety. Your images will be collected and stored by [insert company name] for purposes of assigning drivers to vehicles, trips, and harsh driving events in the Samsara dashboard using the Camera ID feature. To enable this feature, [insert company name] will share your images with Samsara Inc. to provide the facial recognition functionalities of the Samsara dashboard using biometric information derived from those images. Your biometric information will be permanently deleted from systems used by Samsara within a reasonable time after your employment with the company ends, not to exceed three years from that date. More information about Camera ID may be found at Samsara’s website: https://www.samsara.com/support/privacy/special-features. [Optional for Texas but required for Illinois: A copy of our Biometric Information Policy is available on request.] By signing below, you consent to [insert company name]’s collection, use, disclosure, and storage of your biometric information as described above. Signature: ________________________ Name: ________________________ Date: ________________________ |
|
[Insert Company Name]Biometric Information Policy Purpose We use Samsara’s hardware and software technology to manage our fleet and improve driver safety. Samsara’s Camera ID feature uses biometric information to enable us to assign drivers to vehicles, trips, and harsh driving events in the Samsara dashboard. This enhances safety by increasing the efficacy of Samsara’s driver-based insights and also helps us maintain accurate logs of our operations. Policy Our policy is to protect and store biometric information in accordance with applicable laws and regulations, including, but not limited to, the Illinois Biometric Information Privacy Act. Retention and Destruction of Biometric Information We will permanently destroy an employee’s biometric information from our systems, or the systems used by our vendor(s), within a reasonable time following that employee’s termination from [insert company name]. In any event, we will destroy the biometric information within three years of your last interaction with [insert company name]. |
Last updated: September 2021
Samsara recommends always receiving consent before collecting sensitive personal information from individuals. In the European Union and the United Kingdom, the UK/EU General Data Protection Regulation (“GDPR”) and the laws of EU Member States contain requirements for how companies can use, share, store, or otherwise process “biometric” information that can be used to identify individuals, including some of the information used by Camera ID. For more information about Camera ID, including our retention of biometric features, see Special Features.
Summary of Key UK/EU GDPR Requirements
-
The UK/EU GDPR treats “biometric data for the purpose of uniquely identifying a natural person” as a special category of personal data. Thus, entities wishing to process such data must ensure they have an appropriate legal basis to do so.
-
As for other features like audio recording and collection of location data, it is important to weigh the privacy impact of those features against your intended use.
-
The law in this area is changing rapidly. The information provided is not intended to be legal advice or a substitute for legal advice. If you have any questions, please contact privacy@samsara.com.
Last updated: September 2021
Samsara recommends always receiving consent before collecting sensitive personal information from individuals. In Canada, Canadian privacy laws contain requirements for how companies can collect, use, share, store, or otherwise process personal information. Biometric information, including the biometric information collected and used by Camera ID, is considered personal information under Canadian privacy laws, and is considered sensitive. As such, explicit and informed consent is generally required for its collection and use.
In the Canadian province of Quebec, there are additional conditions and restrictions for the collection and use of biometric information. These are set out in sections 44 and 45 of Quebec’s Act to establish a legal framework for information technology (here) and include (but are not limited to):
-
A requirement that a person’s identity not be verified or confirmed by means of a process that allows biometric characteristics or measurements to be recorded, except with the express consent of the person concerned. An express consent must be voluntary, which means that the individual must be provided with an alternative if they do not consent.
-
A requirement that the Commission d’accès à l’information (CAI) be notified in advance of the creation of a database of biometric characteristics and measurements.
The CAI has published a guide discussing these and other applicable requirements here. Additionally, in Quebec, organizations must ensure that their collection and use of biometric information complies with the Quebec Charter of Human Rights and Freedoms.
For more information about Camera ID, including our retention of biometric features, click here.
Summary of Key Canadian Privacy Law Requirements
-
Canadian privacy laws consider biometric information to be sensitive personal information. Thus, entities wishing to process such data must generally obtain informed and explicit consent to do so.
-
As is the case for other features like audio and video recording and collection of location data, it is important to weigh the privacy impact of collecting and using biometric information against your intended use. Canadian privacy laws require that the collection and use of personal information be limited to what is reasonable and necessary in the circumstances.
-
Since biometric information is personal information, it must be processed in compliance with all other requirements of Canadian privacy laws, including requirements relating to information security, limiting retention, data subject rights and transparency.
-
Additional requirements and restrictions apply if collecting and using biometric information in the province of Quebec.
The law in this area is changing rapidly. The information provided is not intended to be legal advice or a substitute for legal advice. If you have any questions, please contact privacy@samsara.com.
Comments
0 comments
Please sign in to leave a comment.